Security researchers at Kaspersky Lab and FireEye confirm that the upward trend of ransomware is continuing and that it has emerged as a top threat to business
Malware that encrypts key data and demands a ransom for its release has emerged as a top threat to business, according to researchers at security firms Kaspersky Lab and FireEye.
The latest report from security firm Kaspersky Lab reveals that the first quarter of 2016 saw a spike in the use of so-called ransomware attacks, which researchers said could become the main problem of 2016.
According to Kaspersky Lab, the company’s database includes around 15,000 ransomware modifications, and the number continues to grow.
Of the 345,900 ransomware attacks blocked in the first quarter, the security firm said 17% targeted the corporate sector. The number of new pieces of mobile ransomware increased to 2,895, up 46% compared with the previous quarter.
One of the most widespread attacks in the first quarter of the year was Locky, which Kaspersky Lab detected in 114 countries.
The top three ransomware families were Teslacrypt (58%), CTB-Locker (24%) and Cryptowall (3%), which all spread mainly through spam emails with malicious attachments or links to infected web pages.
A ransomware called Petya was interesting from a technical perspective, said Kaspersky Lab.
Petya can not only encrypt data stored on the computer, but can also overwrite the hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system (OS). This represents a significant technological innovation in ransomware, the researchers said.
“One of the reasons why ransomware has become so popular lies in the simplicity of the business model used by cyber criminals,” said Aleks Gostev, chief security expert in Kaspersky Lab’s Global Research and Analysis team.
“Once the ransomware gets into the users’ system, there is almost no chance of getting rid of it without losing personal data. The demand to pay the ransom in bitcoins makes the payment process anonymous and almost untraceable, which is very attractive to fraudsters,” he said.
Another reason for the rise in ransomware attacks, according to Kaspersky Lab, is that those targeted by them believe the threat is unbeatable.
“Businesses and individuals are unaware of the technological counter-measures that can help to prevent infection and files being locked up. By ignoring basic IT security rules, they allow cyber criminals to profit,” said Gostev.
A threatening trend, said Gostev, is the ransomware-as-a-service business model, where cyber criminals pay a fee for the propagation of malware or promise a percentage of the ransom paid by an infected user, making it easier than ever to carry out this type of attack.
Kaspersky Lab researchers said there are also services that work the other way round, offering a complete set of tools to the encryptor, who takes responsibility for distributing the Trojan and takes 10% of the ransom as commission.
The Kaspersky researchers also reported instances of well-known Chinese and other attack groups using ransomware.
“If these incidents become a trend, the threat will move to a new level because the damage caused by ransomware is not much different from that caused by Wiper-type Trojans. In both cases, user data becomes inaccessible,” the Kaspersky Lab report said.
Another worrying trend, the Kaspersky Lab researchers said, is that ransomware Trojans are expanding their sphere of activity, with CTB-Locker targeting web servers.
According to the data gathered by FireEye, the upward spiral of ransomware began accelerating in the second half of 2015.
The development of families with new anti-detection or encryption methods suggests enough victims are paying consistently enough to motivate cyber criminals to constantly improve their malicious code, FireEye researchers said.
FireEye released a regional advanced threat report for Europe, the Middle East and Africa for the second half of 2015, based on data from FireEye’s Dynamic Threat Intelligence cloud service.
In the report, FireEye said ransomware continues to pose a threat to organisations, and the malware development lifecycle is so short that many organisations continue to struggle to defend against compromises.
Overall, the UK remains one of the most targeted countries in the region for advanced attacks, the report said.
The most targeted industries in the UK are financial services (38%), education (15%) and energy/utilities (14%), which account for more than two-thirds of all observed attacks in 2015.
These were followed by aerospace and defence (11%), telecoms (9%), entertainment/media/hospitality (6%) and government (4%).
“As well as a staggering rise in ransomware detection, in the second half of 2015 we uncovered a high increase of alerts in almost all industries in the UK. It’s time for organisations to understand their enemy,” said Richard Turner, regional president at FireEye.
However, the UK has dropped from number five in the first half of 2015 to number six in the second half, level with Israel, Belgium/Luxembourg and Germany, with 9% of all advanced targeted threats detected.
Turkey emerged as the country with the most advanced targeted threats detected in the second half of 2015 by a wide margin, accounting for 27% of detections, despite not even featuring in the top five in the first half of 2015.
Persistent regional tensions in Turkey and conflicts in neighbouring states were a likely driver of nation-state threat activity, FireEye researchers said. The country’s high level of internet connectivity also makes it ripe for opportunistic and more advanced cyber crime operations, they said.
“The threat landscape is changing every day and organisations need to seek any advantage they can find to try and stay one step ahead of the attackers,” said Turner.
“The evidence highlighted in this report demonstrates that geopolitical, financial and economic changes happening in the region are increasingly mirrored in the cyber security world.
“Organisations are only as strong as their ability to adapt, and it’s essential to have the tools in place to return to normal as quickly as possible in the event of a breach,” he said.